LastPass was hacked, but it says no user data was compromised

In August, LastPass admitted that an "unauthorized party" entered its system. Any news of a hacked password manager can be alarming, but the company is now reassuring its users that their credentials and other information were not compromised during the event.

In his latest update on the incident, LastPass CEO Karim Toubba said the company's investigation with cybersecurity firm Mandiant revealed that the bad actor had internal access to its systems for four days. They were able to steal some source code and technical information from the password manager, but their access was limited to the service's development environment, which is not connected to customer data and encrypted vaults. Additionally, Toubba pointed out that LastPass does not have access to users' master passwords, which are needed to decrypt their vaults.

The CEO said there was no evidence that this incident "involved access to customer data or encrypted password vaults." They also found no evidence of unauthorized access beyond those four days, nor any trace that the hacker injected malicious code into the systems. Toubba explained that the bad actor was able to infiltrate the service's systems by compromising a developer's endpoint. The hacker then impersonated the developer "once the developer successfully authenticated using multi-factor authentication".

In 2015, LastPass suffered a security breach that compromised user email addresses, authentication hashes, password reminders, and other information. A similar breach would be more devastating today, now that the service has over 33 million registered customers. Although LastPass isn't asking users to do anything to protect their data this time around, it's still good practice to avoid reusing passwords and to enable multi-factor authentication.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you purchase something through one of these links, we may earn an affiliate commission. All prices correct at time of publication.
